00. Profiling Russia's U.S Election Interference 2016 - An OSINT Analysis 
We've decided to take a closer look at the U.S. Election 2016 interference, carried out through several spear phishing and malicious campaigns courtesy of Russia. The aim is to provide actionable threat intelligence, including possible attribution clues for some of the known participants in this campaign, potentially assisting fellow researchers and law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.


In this analysis we'll take a closer look at the Internet-connected infrastructure behind the U.S. Election 2016 campaign in terms of malicious activity, and offer practical, relevant and actionable threat intelligence on their whereabouts.


Sample malicious and fraudulent C&C domains known to have participated in the U.S 
Elections 2016 campaign: 




Related malicious and fraudulent emails known to have participated in the U.S Elections 
2016 campaign: 




Sample related email known to have participated in the U.S Elections 2016 campaign: 
jack2020@outlook.com 


[Figure: Sample Maltego graph of a sample malicious and fraudulent domain registrant known to have participated in the U.S. Election 2016 campaign. Labels surviving from the image: soft-storage.com, nvidiaupdate.com]


Sample related domains known to have participated in the U.S Elections 2016 campaign: 


We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


